Did you hear about the City of San Francisco's plight last summer when a member of its IT department blocked access to the network that controls data for its police, courts, jails, payroll, and health services? He blocked access for everyone in the IT department except himself and withheld the password, even after several days in jail. Did that story make you wonder whether your own organization might be vulnerable to such internal sabotage? The System i has an excellent security reputation, but it's not invulnerable. Raz-Lee Security's iSecurity product suite helps detect, report, and prevent breaches at both the infrastructure and the application levels and might be just the product you need to help seal any gaps in your System i stronghold.
iSecurity's infrastructure security capabilities provide protection in the areas of network access, system audit, user profile management, intrusion detection, compliance, and reporting. The product is a suite of 14 modules: Action, Anti Virus, AP-Journal, Assessment, Audit, Authority on Demand, Capture, FileScope, Firewall, Password, Screen, User Profile Manager, View, and Visualizer. The individual modules are available separately or as part of the iSecurity Prevention Pack and the iSecurity Compliance Pack. iSecurity controls access from all sources, both external and internal, and it controls what users can and can't do, even after they gain access to the System i. iSecurity definitions are all accessible from a few Java-based GUI menus in addition to the native System i interface.
The AP-Journal module is Raz-Lee's new application security product and is available as part of iSecurity or separately as a standalone product. AP-Journal enables realtime auditing of database changes, providing a timeline history of all changes to application data in all business-critical application files and databases. AP-Journal provides answers to batch and online queries regarding changes in application data to help reduce fraud and meet regulatory requirements.
iSecurity ensures that all users can do only what they are allowed to do, when they are supposed to do it, a common compliance requirement. The product restricts user logon to predefined working hours and can automatically disable users during planned absences. It can also automatically disable user profiles that haven't been used recently. iSecurity provides realtime auditing capability to track user activity, along with powerful "after the fact" analysis tools. iSecurity builds a security data warehouse based on security, network access, and system audit journal log files and provides a GUI business intelligence (BI) tool called Visualizer, which can instantaneously "slice and dice" the information, pinpointing breaches in seconds, graphing trends, and providing all required data for documenting breaches (Figure 1). iSecurity uses SYSLOG to export information about realtime events that occur, and it integrates with security information and event manager products such as Tivoli, HP OpenView, CA Unicenter, and similar packages.
iSecurity seals the System i against external and internal threats by protecting all 53 exit points and function servers. System i provides built-in exit points, which can be programmed to allow or disallow specific accesses to the system. Companies generally don't and can't bother with this task. iSecurity provides "smart" exit point capabilities that let clients use the GUI or green-screen checkboxes to specify the conditions under which access through each of these exit points will be allowed or disallowed: for example, accessing an exit point from a specific IP address (or range of IP addresses), a device name, a location (e.g., New York City), or a specific application (e.g., Excel, HR apps). iSecurity also safeguards your critical databases by controlling who is allowed to view, manipulate, or modify the data. It lets the system administrator define which users can perform specific transactions on specific objects, regardless of user location or access method.
iSecurity covers the bases for IBM i safekeeping. In addition to exit-point protection, iSecurity offers IP and SNA address firewalls, user-to-service security, object-level security, remote-logon control (e.g., Telnet, FTP, REXEC), realtime auditing and notification, and BI security analysis. iSecurity lets you know who is accessing your system, who is working with your data, and exactly which objects are being accessed.
iSecurity provides more than just TCP/IP filtering: it protects all System i exit points, servers, and communication protocols, and it controls access to both native and IFS objects by user and transaction type.
The solution protects unattended terminals by automatically locking them after a specified period of inactivity. Full signoff occurs automatically if a locked terminal isn't released by the user, supervisor, or security officer within a second predefined time period. Users can quickly blank their screen to protect confidential data displays from unauthorized viewing.
iSecurity provides realtime security auditing, and its logs and reports can incorporate multiple audit types and be printed or displayed in time sequence. The product offers realtime notification of security breaches to appropriate personnel via the message queue, LAN, email, or SMS messaging to cell phones. iSecurity provides logical log formatting and full-text explanations for audit data, simplifying analysis for nontechnical system administrators.
As the old maxim goes, anything worth doing is worth doing right, but that doesn't mean it has to be hard or clog your system. iSecurity combines all security definitions, functions, auditing, and reporting into a few easy-to-use menus and screens. iSecurity employs wizards to automatically analyze history logs and help you formulate security rules, and it uses a "best fit" algorithm that applies security rules. The algorithm determines the validity of any security-related action, hence decreasing system burden without compromising security. iSecurity features a Java-based GUI and an IBM Navigator for i plug-in, in addition to the traditional text-based interface.
You can learn more about iSecurity and download a free evaluation copy of it at Raz-Lee's website. Raz-Lee also offers a free Security Assessment module.
Linda Harty is the security and networking/connectivity editor for System iNEWS as well as the executive editor.
Solution Spotlight is a System iNEWS feature that provides more in-depth coverage of significant System i products. Selections are based on staff perception of the product as significant to the System i market. Source material for Solution Spotlights consists of user manuals and other documentation provided by product vendors and is not the result of any product testing.
Raz-Lee Security
888-729-5334
iSecurity